CMSC 334: Computer Security

Fall 2018

Doug Szajda

    Course Syllabus


  • Instructor: Doug Szajda, dszajda@richmond.edu, 219 Jepson Hall, (804)-287-6671 (campus ext. 6671).
  • Meeting Times:
    • Lecture: MW 10:30 - 11:45 am, Ryland 213.
    • Consulting Lab: F 10:30 - 11:20 pm, Jepson G22.

  • Recommended Text:
    • Security in Computing (4th Edition) by C. Pfleeger and S. Pfleeger.

  • Office Hours: TBD. Other days and times by appointment.

    You are welcome to drop by my office at any time, but be aware that there will be occasions on which I will be unable to see students. Also, though I usually keep my office door open during office hours, at other times I may keep my door closed for either noise or climate control purposes. You should be sure to knock before concluding that I am not in my office!
  • Course Summary: This is a 1 unit course on computer security. We will focus on the principles of security, covering the basics of cryptography, program security, operating system security, and network security. We will be reading and discussing some current research in the field as well as some "classic" primary sources. Since implementation is an important aspect of security, we will selectively implement protocols. The course has a programming component, though it is somewhat different than most UR courses in that you are often asked to modify existing code, or "hack" existing code.

  • Pre-requisites: The pre-requisite for this course is CMSC 301 (Computer Architecture) or permission of the instructor. Though a knowledge of computer networks is helpful, it is not required. Students are expected to be able to implement significant projects in C and Java. Readings and lectures will refer to C, Java, and at times, assembly, so you need to be able to understand these. Regarding assembly code, I want to be clear: As you know from CS 301, writing assembly code can be tricky. Understanding it is usually less difficult. We will run across examples of assembly code written for a variety of architectures and platforms. You need to gain some comfort with being able to understand this code, given explanations of the assembly syntax being used. I also expect that I will need to clarify some aspects of the assembly code we encounter.
  • Lectures: When we are not discussing papers, I will be lecturing. The notes for these lectures will be posted prior to class on the lecture notes page of the class web. I recommend that you make it a habit to download these notes beforehand. Having the notes means less note taking on your part, which should allow you to better focus on the lectures (at least that is the theory).

  • Discussions: As mentioned above, parts of our class time will be spent discussing papers. It is expected (of course) that you have read the paper carefully. Though not really a "core class" type of discussion, I expect that you will be as prepared for discussion as one is expected to be in the core class. In particular, I expect you to be able to identify and discuss the main points of the paper, and to have opinions on the ideas or concepts expressed in the paper. This being said, I realize that you are not security experts, and so may not understand everything you read in the papers (frankly, not even security experts can be expected to understand everything in every paper). When parts of a paper confuse you, I expect that you will make a list of such parts and will have prepared specific and relevant questions to ask during the discussion. I know it sometimes goes against human nature, but please, never feel hesitant about asking questions. The alternative to asking questions is remaining confused, which is usually not a good outcome.

  • Attendance Policy: Regular attendance for the entire class time is expected! Over the past few years I've noticed a disturbing trend -- some students disappear for weeks on end. So that you are aware, CS program policy states that students who miss more than 4 total sessions (including lecture and lab) receive a grade of V for the course. I will be strictly adhering to this policy! If you are one of those students who wonder why attendance is necessary if you are meeting the required goals of the course, then I would ask why you are at UR and not enrolled in an online university. Here are some reasons.
    • At some point in the future, you may ask for a reference or letter for a job or graduate school. In that letter I will be expected to comment on your demeanor during lecture, the quality of your comments (and whether you regularly comment), whether you are engaged in learning the material (as opposed to surfing the web from the back of the room), your interactions with your classmates, and your general level of participation.
    • Showing up for class, on time and ready to work, is an indication that you have the necessary discipline to succeed in this field.
    • Though slides and any texts or papers are thorough, they do not cover everything. Nor are they always effective at communicating the primary ideas and takeaways from the material. This is what I provide. If you're not in class to hear it, you likely won't know it.
    If you should miss a class due to illness, you are responsible for obtaining class notes! (That is, I will not give you a private encore of the lecture).

  • Labs: There is no formal laboratory component to this course. Instead I will hold a special office hour each week (the consulting lab, which for us is on Fridays, from 10:30 am - 11:20 am) for the exclusive use of students in this class.
  • Grades:
    Grade Component | Date | Percent of Grade
    Participation (paper discussions) | N/A | 5%
    Exam 1 | distributed Friday, September 28; due by 11:59:59 pm, Friday, October 5 | 20%
    Exam 2 | distributed Friday, November 2; due 11:59:59 pm, Friday, November 9 | 20%
    Programming Assignments Avg. | N/A | 15%
    Final Project | N/A | 15%
    Final Examination | distributed Friday, December 7; due 11:59:59 pm, Wednesday, December 12 | 25%


  • Exams: All exams in this class will be take-home. There is no limit on the amount of time you may spend working the exam, provided you submit the completed exam on time. Unlike with the reading and programming assignments, you may not receive any assistance in solving exam problems, with the exception of advice I may offer. All exams are open book, open note. Be aware that because you have access to course resources, I am justified in asking more detailed questions than I might otherwise ask.


  • The Myth of Grade Negotiation: I have noticed over the past few years a shift in the way students view grades on exams and assignments. Some (but certainly not all) students view these grades as merely an initial offer in a process of negotiation. That is a myth. The grade you receive on assignments is final! The grades I assign are carefully considered. Attempting to earn an extra couple of points is a waste of your time and mine, as well as being orthogonal to the prime purpose of the course, which is to learn the material. I am very happy to meet to discuss assignments and exams so that you may better understand the material, but will not be changing your grade.
  • My "Managerial" Philosophy: I apologize for having to mention this, especially since you are almost all third or fourth years and thus do not need this clarification. Every once in a while, however, I encounter a student who tests the boundaries, and for that student, I like to have a few things in writing.

    My basic philosophy is this: You are adults. I treat you as if you are adults, and expect you to act as adults. For the 1 out of 100 students that does not understand what this means, here is a little clarification of some (though not all) of the ideals that this entails:
    • You begin assigned work in a timely manner (this includes reading).
    • You complete assigned work on time (this includes reading).
    • You complete assigned work and hand it in on time.
    • If an emergency arises (as they sometimes do) that precludes handing in work or taking an exam, you contact me before the work (or exam) is due.
    • You accept responsibility for your actions (and, as the case may be, your inactions).
    • Most important, just because some specific behavior is not mentioned here, that does not mean it's "OK" to engage in it. You know what reasonable expectations are for students, as do I. I treat you like adults and expect you'll act responsibly.

  • My "exam discussion policy": Once a student has begun an exam, I will answer (for that student) only those questions that concern clarification of the intent of a problem. That is, I will not answer questions that seek to determine whether the problem was done correctly, or whether a particular approach is wise (or unwise).

  • The Other Student Criteria: When grading tests and homework, I use the Other Student Criteria (OSC). All solutions must meet this. The Other Student Criteria states that a solution should provide enough written explanation so that another student in the class (who could not complete the assignment) could read the submitted material and, without asking questions, understand a correct answer.
  • Collaborating on homework/programming assignments: Programming projects and homework may be discussed with others subject to the "Empty Hands" policy -- you may freely discuss ideas and approaches with other students subject to the restriction that each student must leave the discussion without any written or otherwise recorded material. In your homework write-up or source code, you must also document any person or source that you consulted for that project. Failure to comply with this policy will be treated as an Honor Code violation.

    One final note: some of the programming assignments for this semester may have been assigned in previous semesters. While you may consult previous class members concerning projects, you are not permitted, under any circumstances, to receive or view either hard copies or electronic copies of all or parts of their project submissions! You can use your friends to get help, but they should not be providing you with their code (just as in an English class, you might discuss the works of Dickens with a friend, but should not use the paper that they submitted as the basis for your own submission).

  • Note: Many of the handouts and presentation slides used in this course use material borrowed from colleagues in the security field. I am particularly grateful to Anthony Joseph, Vern Paxson, Doug Tygar, Umesh Vazirani, and David Wagner of the University of California, Berkeley, for generously allowing me to use their material as the basis for my material (including, in some cases, simply using their material word-for-word).

  • Disability Support Services: If you believe you have a disability requiring an accommodation, please follow the procedures listed on the University of Richmond Disability Services website [https://disability.richmond.edu] to begin the accommodations process as soon as possible. If you already have a University of Richmond Disability Accommodation Notice (DAN), please inform me as soon as possible, so that I am aware of your accommodations. No student will receive accommodations of any kind without a DAN.
  • Additional University Resources: If you experience difficulties in this course, do not hesitate to consult with me. There are also other resources that can support you in your efforts to meet course requirements.

    • Academic Skills Center (http://asc.richmond.edu, 289-8626 or 289-8956): Assists students in assessing their academic strengths and weaknesses; honing their academic skills through teaching effective test preparation, critical reading and thinking, information conceptualization, concentration, and related techniques; working on specific subject areas (e.g., calculus, chemistry, accounting, etc.); and encouraging campus and community involvement.

      Hours at the Center are: Sunday through Wednesday 3:00-9:00 p.m. and Thursday 3:00-7:00 p.m. On-call tutors are also available.

    • Boatwright Library Research Librarians (http://library.richmond.edu/help/ask/ or 289-8876): Research librarians assist students with identifying and locating resources for class assignments, research papers and other course projects. Librarians also provide research support for students and can respond to questions about evaluating and citing sources. Students can email, text or IM or schedule a personal research appointment to meet with a librarian in his/her office on the first floor Research and Collaborative Study area.

    • Career Services (http://careerservices.richmond.edu/ or 289-8547): Can assist you in exploring your interests and abilities, choosing a major or course of study, connecting with internships and jobs, and investigating graduate and professional school options. We encourage you to schedule an appointment with a career advisor early in your time at UR.

    • Counseling and Psychological Services (https://wellness.richmond.edu/caps/index.html or 289-8119): Assists currently enrolled, full-time, degree-seeking students in improving their mental health and well-being, and in handling challenges that may impede their growth and development. Services include short-term counseling and psychotherapy, crisis intervention, psychiatric consultation, and related services.

    • Speech Center (http://speech.richmond.edu or 289-6409): Assists with preparation and practice in the pursuit of excellence in public expression. Recording, playback, coaching and critique sessions offered by teams of student consultants trained to assist in developing ideas, arranging key points for more effective organization, improving style and delivery, and handling multimedia aids for individual and group presentations.

    • Writing Center (http://writing.richmond.edu or 289-8263): Assists writers at all levels of experience, across all majors. Students can schedule appointments with trained writing consultants who offer friendly critiques of written work.

Last Modified: August 20, 2014 Contact: Doug Szajda